= American Privacy Rights Act =

The American Privacy Rights Act (APRA) is a comprehensive data privacy law proposed in the United States. It would place limitations on the kinds of data companies can collect about their users, create processes for users to access or remove data about them, and allow users to opt out of having their data sold by data brokers. The bipartisan proposal was revealed in April 2024 by Senator Maria Cantwell (D-WA), and Representative Cathy McMorris Rodgers (R-WA) and introduced as H.R. 8818 in June 2024. Cantwell is Chair of the Senate Committee on Commerce, Science, and Transportation and McMorris Rodgers is Chair of the House Committee on Energy and Commerce. If passed, it would supersede some state-based laws which have emerged in the absence of a comprehensive federal data privacy law. The bill underwent controversial revisions in June 2024, removing several consumer protections after pushback from House Republicans, including a section about civil rights. The changes led many privacy and civil society organizations to withdraw support, and the June 27, 2024, committee markup session was canceled amid signals from Republicans that they would block the bill if it got out of committee. The bill expired in January 2025, at the end of the 118th United States Congress, and the law has not been reintroduced As of February 2026.

== Background ==

=== Data privacy in the United States ===
The United States has no comprehensive federal data privacy statute and no national data protection authority, the only G20 country without such a law. As a result, in many states and for most companies there are few limits to how user data can be used, shared, or sold, and requirements to notify users when or how they do so are limited.

The laws which have been passed focus on specific types of data or specific populations of data subjects. The Privacy Act of 1974, the Health Insurance Portability and Accountability Act (HIPAA) of 1996, and the Children's Online Privacy Protection Act (COPPA) of 1998, for example, regulate the use of data by federal agencies, how patients' health data is communicated, and aspects of collecting data about children. In the absence of a federal data privacy law, several states have passed laws like the 2008 Biometric Information Privacy Act in Illinois and the 2018 California Consumer Privacy Act (CCPA). As of 2025, nineteen states had enacted comprehensive data privacy legislation. Proponents of broad data privacy legislation argue that it provides a more effective and durable solution to the problems many narrower bills attempt to address through focus on specific companies like TikTok.

=== Previous comprehensive data privacy bills ===
There have been multiple attempts to pass a comprehensive data privacy law, such as the Personal Data Privacy and Security Act of 2009 and the American Data Privacy and Protection Act (ADPPA) in 2022. Both had bipartisan support and passed committees, but were not brought up for a vote. A common sticking point in debates over these laws, including the APRA, is the extent to which the federal law would preempt current or future state laws. There has also been disagreement about enforcement, including whether users could use the laws as a basis to sue companies directly (a private right of action) for privacy violations. Senator Cantwell, one of the lawmakers behind the APRA, opposed the ADPPA on the basis of its enforcement, which is part of why it ultimately stalled, according to The Verge.

The idea of a comprehensive federal data protection law gained increased attention and support in the early 2020s. Privacy experts, technology journalists, and consumer advocacy organizations have spoken in support of ADPPA and others, like APRA, which focus on "data minimization" rather than "notice and consent" ("notice and choice") frameworks. Notice and consent is the standard, widely criticized for its failure to provide real protections for user privacy, by which a company displays a notification to users inviting them to read lengthy legal documents about their use of data and asking them to accept the terms in order to continue using the website or application. Data minimization places limits on what data can be collected in the first place rather than simply dictate how use of data is communicated. US President Joe Biden included the importance of such a data privacy law in his 2023 State of the Union address.

== Legislative history ==

The bipartisan proposal was released in April 2024 by two Washington lawmakers, Senator Maria Cantwell and Representative Cathy McMorris Rodgers. Cantwell is a Democrat who serves as Chair of the Senate Committee on Commerce, Science, and Transportation and McMorris Rodgers is a Republican who chairs the House Committee on Energy and Commerce. Aspects of the law were written to overcome objections to the ADPPA. Cantwell had opposed the earlier law on the basis of lack of private right of action, which APRA includes, and while the initial draft would have still preempted most state laws, the aim was to incorporate elements of stronger laws to get around those states' objections.

The bill underwent a series of revisions in early June 2024, prior to its introduction. Those revisions made concessions to Democratic lawmakers by preempting fewer state laws, and to Republican lawmakers who wanted to remove civil rights protections and AI regulation. The bill was introduced as H.R. 8818 on June 25, 2024, with markup scheduled to begin on June 27. When the markup date arrived, the session was canceled amid reports that Republican leaders had signaled they would not permit the bill to move forward regardless of committee decisions. The private right of action was flagged by House Majority Leader Steve Scalise as a point of contention, which remained after the changes. At the end of the 118th United States Congress, in January 2025, the bill expired, and has not been reintroduced As of February 2026.

== Provisions ==
The American Privacy Rights Act aims to create a national baseline for individual data privacy rights and establish mechanisms for oversight, enforcement, and accountability. Its major provisions include:

- Giving users more control over their data, including the ability to:
  - access the data companies have about them, as well as make changes or remove such data;
  - opt-out of having their data sold or used for personalized advertising.
- Data minimization and transparency for companies collecting data:
  - restricting data collection to that which is reasonable and proportionate to provide services to the user;
  - creating a higher standard of consent for sensitive data like biometric data, geolocation data, and government identifiers;
  - requiring documentation of what data is collected, how it is used or shared, and any algorithmic decision-making processes applied to the data.
- Restricting the ability of companies to impose mandatory arbitration.
- Creating a registry for data brokers, companies that collect and sell personal data, and requiring brokers comply with opt-out requests within 30 days.
- Enforcement mechanisms:
  - additional enforcement mechanisms, including private right of action and rules to be developed by the Federal Trade Commission (FTC);
  - empowering state attorneys general to enforce the act on behalf of residents;
  - expanding some of the California law's enforcement mechanisms to allow private citizens to sue companies for violations;
  - a 60-day window for companies to make a correction after being notified of a violation to avoid a court order, except in cases of a "substantial privacy harm".
- Preempting, or invalidating, state private laws.

The legislation would apply to most businesses that collect or process personal data, with a limited exemption for small businesses with less than $40 million in revenue, as long as they handle minimal, non-sensitive data. Companies that process a lot of data, especially sensitive data, and have revenue over $250 million are classified as "large data holders" and subject to additional transparency, reporting, and operational requirements.

=== June 2024 revisions ===
In June 2024, prior to a committee markup session, the bill was subject to several controversial revisions. Following objections from Republican lawmakers, a section on civil rights protections was removed. Sections on AI and algorithms were also cut. The changes also weakened data minimization principles, regarding data kept on a user's device as exempt. The extent to which the bill would preempt state privacy laws changed as well, preempting only those laws with a scope similar to the APRA but allowing states to have stricter or more specific requirements. Other sections were added or expanded, such as new "Privacy By Design" requirements, additional obligations for data brokers, and a provision which would allow users to request humans make "consequential decisions" rather than algorithms.

== Reception ==

=== Original draft ===
According to The Washington Post in April 2024, the law is a "major breakthrough" in an "issue that has befuddled lawmakers despite near-universal agreement -- in Silicon Valley and in Washington -- on the need for federal standards to determine how much information companies can collect from consumers online".

McMorris Rodgers' Democratic counterpart on the House committee, Frank Pallone of New Jersey, called the draft "very strong" but said he wanted to see greater protections applied to children. Representative Jan Schakowsky, Ranking Member on the committee's Innovation, Data, and Commerce subcommittee, expressed optimism about the proposal and cited "an urgency that's felt to get this done".

The digital rights advocacy organization Electronic Frontier Foundation was positive about the basic components of the bill, but presented many ways in which the bill should be strengthened or modified to increase consumer protections, including allowing states to pass more strict laws and limiting the extent to which companies can share data with the government.

Stewart Baker, in the Volokh Conspiracy, criticized the bill's requirement that companies assess the extent to which their algorithms harm certain groups more than others and document any measures they take to mitigate such harms. Baker argued that efforts to curb discrimination would themselves lead to discrimination against other groups. Advertising industry advocates and other critics expressed concern at the way restrictions on data security and targeted advertising could affect dominant business models, creating a situation that larger companies may be better able to adapt to than small businesses.

=== June 2024 revisions ===
The June 2024 revisions were criticized by privacy rights groups. The removal of civil rights protections provisions in particular led dozens of data privacy, internet rights, and civil rights groups to express objections or withdraw support. The American Civil Liberties Union, Center for Democracy and Technology, and the NAACP, for example, issued critical statements. According to Wired, the new version was "engineered to appease conservative lobbyists representing the interests of big business," but even after the changes, Republican leadership signaled they would not support it even with the changes, leading the markup session to be canceled.
